You have enabled DMARC and DMARC failure reporting and are now seeing network filtering processes, such as a Network Intrusion Detection, alert on SMTP traffic being sent by Messaging Gateway. The alerts indicate that Messaging Gateway is sending message containing malware attachments, or otherwise suspicious content such as links or spam, depending on the detection processes.

Messaging Gateway with DMARC and DMARC failure reporting enabled.

The DMARC protocol dictates that forensic/failure reporting contains a copy of the message that failed DMARC checking. When a message connection is received by Messaging Gateway and fails DMARC checking, a failure report containing the message that would have been received could be sent. The DMARC DNS configuration for the owning domain would need to be configured to request forensic/failure reports and Messaging Gateway would need to have failure reports enabled.

To mitigate this issue, DMARC failure reporting would need to be disabled or the network filtering process would need to exempt messages originating from the Messaging Gateway that are sent from the DMARC failure reporting sender address.